Blockchain & Cryptocurrency , Cryptocurrency Fraud , Cyberwarfare / Nation-State Attacks
First US Sanction of a Virtual Currency Mixer: Blender.io
Treasury Says North Korea's Lazarus Group Used Mixer to Launder Stolen CryptoThe United States sanctioned virtual currency mixer Blender.io on Friday for its role in enabling the Democratic People's Republic of Korea - North Korea - to conduct "malicious cyber activities and money laundering of stolen virtual currency."
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
Virtual currency mixers or tumblers help obscure the original source of funds. For instance, if you put in one crypto coin that needs obfuscation, the tumbler breaks it up into multiple pieces, mixes the pieces up with other clean coins and then redistributes random increments of the tumbled coins to designated cryptocurrency wallets at random times.
This is the first instance of the Treasury Department's Office of Foreign Assets Control imposing sanctions on a digital asset mixing service.
The Treasury's move is a significant one, as it "clearly sends a message to the cryptocurrency industry that anyone who facilitates the movement or obfuscation of sanctioned entities will be held accountable. The same goes, if you assist a sanctioned entity," says William Callahan, a Drug Enforcement Administration veteran who established the agency's money laundering audit team and helped develop policy and procedures for undercover operations involving cryptocurrency.
The latest sanctions indicate that all property belonging to Blender.io, owned in the U.S. or by U.S. citizens, will be blocked. If any of the blocked individuals own more than 50% of any entity, that entity will also be blocked. The sanctions also prohibit U.S. persons from conducting any transactions with the blocked persons. The Treasury released a 28-page document in October 2021 on sanctions compliance guidance for the virtual currency industry.
"Today, for the first time ever, Treasury is sanctioning a virtual currency mixer," says Brian E. Nelson, undersecretary of the Treasury for terrorism and financial intelligence. "Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests. We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money laundering enablers to go unanswered."
The Treasury Department, in its statement, adds: "The DPRK has resorted to illicit activities, including cyber-enabled heists from cryptocurrency exchanges and financial institutions to generate revenue for its unlawful weapons of mass destruction and ballistic missile programs."
Blender.io, operating on the Bitcoin blockchain, "indiscriminately facilitates illicit transactions by obfuscating their origin, destination, and counterparties," the Treasury statement says. "Blender.io has helped transfer more than $500 million worth of Bitcoin since its creation in 2017."
The agency did not immediately respond to Information Security Media Group's request for comment on how it traced the illicit transactions to Blender.io, whether the laundered funds have been recovered or not, or what its next steps are.
Link to Lazarus, Ransomware Groups
The sanctioned mixer was used by North Korean hacking group Lazarus to launder more than $20.5 million of the $620 million it stole from Axie Infinity, a non-fungible token-based online video game, according to the Treasury statement. The state-sponsored group's attack on Axie is the largest virtual currency heist recorded, to date. (See: Update: Crypto Hackers Exploit Ronin Network for $615 Million)
Axie Infinity is run by Sky Mavis. Its co-founder Aleksander Leonard Larsen did not respond to ISMG's request for comments on the sanctions and what the move may mean for the company's stolen funds.
OFAC has also identified four additional virtual currency wallet addresses used by the Lazarus Group to launder the remainder of the stolen proceeds from the Axie Infinity heist. "This builds upon OFAC’s April 14, 2022, attribution of DPRK’s Lazarus Group as the perpetrators of the Axie Infinity heist and identification of the original getaway wallet address," the statement says.
Blender.io has also facilitated money laundering for Russia-linked ransomware groups, including Trickbot, Conti, Ryuk, Sodinokibi and Gandcrab, the statement adds.
The government is also updating its list of specially designated nationals and blocked persons to "identify additional virtual currency addresses used by the Lazarus Group to launder illicit proceeds," the statement says. On Sept. 13, 2019, OFAC sanctioned the Lazarus Group and identified it as "an agency, instrumentality or controlled entity of the government of the DPRK."
The latest sanction builds on the Treasury's recent actions going after the illicit underbelly of the overall growing crypto economy, says Ari Redbord, ISMG contributor and head of legal and government affairs at blockchain intelligence company TRM Labs.
The U.S. government, in the recent past, has sanctioned darknet market Hydra; noncompliant exchanges Suex, Chatex and Garantex; "and now a mixing service that facilitates money laundering," says Redbord, who was previously the senior adviser to the deputy secretary and the undersecretary for terrorism and financial intelligence at the U.S. Treasury. He has also worked with OFAC to use sanctions to safeguard the financial system from illicit use.
The Treasury has also taken stringent actions against noncompliant virtual currency mixers themselves in the past. In 2010, the Treasury’s Financial Crime Enforcement Network issued a $60 million civil money penalty against the owner and operator of a virtual currency mixer for violations of the Bank Secrecy Act.
In the case of Blender.io, however, the key is the focus on national security, Redbord says.
"These sanctions are in direct response to the Axie Infinity exploit by North Korea. Treasury is clearly using blockchain intelligence to track and trace the funds, and targeting those entities that facilitate Lazarus' money laundering. This hack does not just mean stolen funds - it means that North Korea could use these funds to support destabilizing activity and weapons proliferation," he says.
These sanctions, he adds, are going to be effective in not only shutting down Blender.io, but will also send a message to mixers that it is critical to put compliance controls in place to screen for sanctions (see: Treasury Department Tells Companies to Comply With Sanctions)
Callahan, who is currently the director of government and strategic affairs at Blockchain Intelligence Group, agrees. "Virtual currency mixers play a role supporting cybercrime when they fail to implement anti-money laundering procedures into their systems. It is not sufficient for these mixers to claim that the funds they received came from a non-sanctioned wallet when we can see that one or two 'hops' prior from a sanctioned wallet," he says.
Law enforcement, Callahan adds, will need to "bring more criminal charges against the developers and those who profit from these mixers."